PartyTicket ransomware technical analysis

Key points

PartyTicket is an unsophisticated and poorly designed ransomware family that is likely intended as a diversion from the Hermetic Wiper attack
The ransomware generates a single AES key which is used to encrypt targeted files in GCM mode
Files are decryptable because the AES key is generated using a deterministic random function

Technical analysis

On February 23, 2022, a new family of sophisticated malware known as Hermetic Wiper was discovered targeting organizations in Ukraine with the aim of destroying data and disrupting operations. Hermetic Wiper appears to have been used in conjunction with another malware family that disguises itself as ransomware. This secondary malware, known as PartyTicket, has SHA256 4dc13bb83a16d4ff9865a51b3e4d24112327c526c1392e14d56f20d6f4eaf382 and was written in the Go programming language.

PartyTicket is quite distinct from typical ransomware families in that its design and implementation seem rushed and unsophisticated. For example, PartyTicket does not terminate processes such as databases and other business applications before encryption. As a result, the number of files that can be encrypted is limited, because many applications hold open file handles on their files. Additionally, the malware generates a 32-character alphanumeric key using the random function of the Go standard library, whose output is deterministic. Therefore, the AES encryption key can be regenerated and used to decrypt files. PartyTicket also stands out for its many references that poke fun at US President Joe Biden, as seen in Figure 1.

Figure 1. PartyTicket code references mocking US President Joe Biden

The malware takes a single command line argument, which is the name of the file to encrypt. If the malware is launched without any arguments, it builds a list of files to encrypt. For each file in this list, the malware creates a new copy of itself under a name generated by calling a Go UUID library function, which derives the value from the current timestamp and the MAC address of the system.

The new copy of PartyTicket is then executed with the name of the file to encrypt passed as its argument. This design choice is very strange: spawning a new process for every file slows the system down considerably, and the many copies of the malware fill up disk space because the malware binary is larger than 3MB. Figure 2 shows an example of the many PartyTicket executables that were created during file encryption.

Figure 2. Copies of PartyTicket executables during file encryption

PartyTicket lists all files that have the extensions shown in Table 1.

.docx, .doc, .point, .odt, .pdf, .xls, .xlsx, .rtf, .ppt, .pptx, .a, .xps, .pub, .vsd,
.SMS, .jpg, .jpeg, .bmp, .ico, .png, .gif, .sql, .xml, .pgsql, .zip, .rar, .EXE, .msi,
.vdi, .ova, .avi, .soak, .epub, .iso, .sfx, inc., .contact, .url, .mp3, .wmv, .wma, .wtv,
.Taxi, .acl, .cfg, .chm, .crt, .css, .dat, .dll, .html, .htm

Table 1. Extensions targeted by PartyTicket

Files located in the Windows and Program Files folders are ignored. Before file encryption, the targeted file is renamed by appending the extension .[[email protected]].encryptedJB, as shown in Figure 3.

Figure 3. PartyTicket Encrypted File Extension Example

The malware embeds a hard-coded, Base64-encoded 2048-bit RSA key. The modulus and exponent once the string is Base64 decoded are as follows:

{"N":,"E":65537}

PartyTicket uses this RSA public key to encrypt the AES key used for file encryption. Files are encrypted with AES in GCM mode using a 32-byte alphanumeric string that is created using the Go math.rand.Int() function, which is deterministic and therefore not cryptographically secure. The encrypted file format consists of the first 12 bytes used as the AES-GCM nonce, followed by the AES-encrypted data, a 16-byte AES-GCM authentication tag, the RSA encrypted AES key, and finally the string marker ZVL2KH87ORH3OB1J1PO2SBHWJSNFSB4A.
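The file layout and the deterministic key together explain why files are recoverable. The following Go program, an added example that is neither code from the Zscaler post nor the malware's own, regenerates a key from a fixed math/rand seed, parses the nonce | ciphertext+tag | RSA blob | marker layout described above, and decrypts without ever touching the RSA-encrypted key. It assumes seed 1 (the default of Go's unseeded global generator before Go 1.20), an assumed alphanumeric alphabet and draw order, and a zero-filled placeholder for the RSA field since the page does not reproduce the modulus.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"fmt"
	"math/rand"
)
const nonceSize, tagSize, rsaLen = 12, 16, 256 // a 2048-bit RSA ciphertext is 256 bytes
const marker = "ZVL2KH87ORH3OB1J1PO2SBHWJSNFSB4A"
const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"

// DeterministicKey draws a 32-char alphanumeric key from math/rand seeded with 1 (the pre-Go-1.20
// default). Alphabet and draw order are assumed, not from the page; every call returns the same key.
func DeterministicKey() []byte {
	r, key := rand.New(rand.NewSource(1)), make([]byte, 32)
	for i := range key {
		key[i] = alphabet[r.Intn(len(alphabet))]
	}
	return key
}

func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only on a wrong key length, impossible for the 32-byte key used here
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for a valid AES block
	return gcm
}

// Recover parses nonce (12) | ciphertext+tag | RSA blob (256) | marker and decrypts the middle
// section with the regenerated key; the RSA blob, and so the RSA private key, is never needed.
func Recover(blob []byte) ([]byte, error) {
	if len(blob) < nonceSize+tagSize+rsaLen+len(marker) || string(blob[len(blob)-len(marker):]) != marker {
		return nil, fmt.Errorf("not a PartyTicket-encrypted file (%d bytes)", len(blob))
	}
	body := blob[:len(blob)-len(marker)]
	nonce, cipherAndTag := body[:nonceSize], body[nonceSize:len(body)-rsaLen]
	return mustGCM(DeterministicKey()).Open(nil, nonce, cipherAndTag, nil) // error if the tag fails
}
// BuildSample makes a constructed file in the same layout; the RSA field is a zero-filled placeholder.
func BuildSample(plain, nonce []byte) []byte {
	out := mustGCM(DeterministicKey()).Seal(append([]byte{}, nonce...), nonce, plain, nil)
	return append(append(out, make([]byte, rsaLen)...), marker...)
}
func main() { // the all-zero nonce is for this constructed demo only
	plain, err := Recover(BuildSample([]byte("constructed sample document"), make([]byte, nonceSize)))
	fmt.Printf("%s %v\n", plain, err)
}
```

A corrupted ciphertext or tag makes Recover return the GCM authentication error rather than garbage, which is the expected failure mode for a file that was only partially written.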

Once each file is encrypted, the corresponding temporary copy of the ransomware is then deleted.

The ransom note is written to the user's desktop with the file name read_me.html. A sample ransom note, as rendered in a web browser, is shown in Figure 4.

Figure 4. Sample PartyTicket ransom note

The special ID value shown in the note is generated by calling the Go UUID function and serves no purpose.

Zscaler coverage

We ensured coverage of payloads seen in these attacks through advanced threat signatures as well as our advanced cloud sandbox.

Advanced Threat Protection

Win32.Trojan.HermeticWiper

Advanced Cloud Sandbox

Win32.Trojan.HermeticWiper

Figure 5 below shows the sandbox detection report for PartyTicket.

Figure 5. Zscaler Cloud Sandbox report – PartyTicket

*** This is a syndicated blog from the Security Bloggers Network of Blog Category Feed written by Brett Stone-Gross. Read the original post at: https://www.zscaler.com/blogs/security-research/technical-analysis-partyticket-ransomware
